Change Proposal on Privacy Guides Recommended VPN Providers Page

Even more detrimental to believe PG-recommended VPNs are no logs / no monitoring[1][2] / no backdoor;[3] these remain pinky promises (PG’s knowledge base notes this). No popular public VPN provider guarantees this, as of today, whereas a few niche ones may do so to varying degrees.

From Proton’s rather honest infrastructure audit report from 2024 (no shortage of audit reports that read like a marketing brochure):[4]

"There is an additional accounting service whose goal is to prevent abuses and ensure the continuity of the Proton VPN. Its actions are performed by a dedicated external system, owned, and managed solely by Proton Team. These servers are kept in a secure location in Switzerland. User data is not logged or stored there in redundant, unnecessary amount. The accounting service was outside the scope of the audit.” securitums-security-report-for-proton-vpns-no-logs-policy-2024 : SECURITUM : Free Download, Borrow, and Streaming : Internet Archive

Discussion: What's the purpose of paying a VPN provider anonymously? - #4 by ignoramous


  1. “However, the Swedish police authority may have access to information by way of coercive measures such as seizure and search of premises.” … “According to Swedish law, a police authority may request access to personal data through a coercive measure in criminal procedures … Examples of these types of coercive measures may be secret interception of electronic communications, secret electronic communications monitoring, secret camera surveillance, retention of mail and secret room interception.” Swedish legislation relevant to us as a VPN provider

  2. Yet another pinky promise: “DSA regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms and app stores. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. Mullvad, in its capacity as a provider of VPN services, is subject to certain provisions of the DSA but is not imposed with any monitoring obligation. Instead, it is stipulated by the DSA that Mullvad, for instance, should provide transparent terms and contact information. Mullvad asserts that it fulfils the requirements of the DSA.” Swedish legislation relevant to us as a VPN provider

  3. kfreds, co-founder at Mullvad AB: “Regarding backdooring websites, that’s interesting. I’ll have to ask someone about that. Thanks.” … “Having said all of this, I am concerned about National Security Letters and similar concepts. Technologies like reproducible builds, transparency logs, and remote attestation can help there.” … “Physical security is hard. However, I see no reason to limit ourselves to only software-based mitigations.” > *Here I'd say look at the jurisdictions of the orgs.* Per *Covert Surveillance... | Hacker News

  4. See if you spot the clever word salad about ‘logs’ but not in an ‘unnecessary amount’.
